Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

duplicate coinbase transactions are allowed, and there are 2 pairs of dups #612

Closed
dmgores opened this issue Nov 7, 2011 · 6 comments
Closed

Comments

@dmgores
Copy link

dmgores commented Nov 7, 2011

take a look at:

block hashes:
0x00000000000271A2DC26E7667F8419F2E15416DC6955E5A6C6CDF3F2574DD08E
0x00000000000743F190A18C5577A3C2D2A1F610AE9601AC046A38084CCB7CD721
they have duplicate coinbase transactions:
0xE3BF3D07D4B0375638D5F1DB5255FE07BA2C4CB067CD81B84EE974B6585FB468
block height 91722, 91880, on 2010-11-14 08:37:28, 2010-11-15 00:36:19

block hashes:
0x00000000000AF0AED4792B1ACEE3D966AF36CF5DEF14935DB8DE83D6F9306F2F
0x00000000000A4D0A398161FFC163C503763B1F4360639393E0E4C8E300E0CAEC
they have duplicate coinbase transactions:
0xD5D27987D2A3DFC724E359870C6644B40E497BDC0589A033220FE15429D88599
block height 91812, 91842, on 2010-11-14 17:59:48, 2010-11-14 21:04:51

The miner was using the same signature "0x0456720E1B00" on all 4 of these coinbase transactions.
The public keys for those two pairs of duplicates were:
"0x4104124B212F5416598A92CCEC88819105179DCB2550D571842601492718273FE
0F2179A9695096BFF94CD99DCCCDEA7CD9BD943BFCA8FEA649CAC963411979A33E9AC"
and
"0x41046896ECFC449CB8560594EB7F413F199DEB9B4E5D947A142E7DC7D2DE0B811
B8E204833EA2A2FD9D4C7B153A8CA7661D0A0B7FC981DF1F42F55D64B26B3DA1E9CAC"

  • Should we allow this guy to spend his duplicate transactions? This would make code and data structures more complex for eternity... when verifying transactions we'd have to get a list of transactions for each hash, instead of just a single transaction... and mark a non-spent one as newly spent.
  • Or should we make a rules like "no more duplicate transactions when height > 91880" and "only one of a set of existing duplicate transactions are spendable coinbase"? I like this. :) Come on, we totally should have rejected those duplicate transactions!
@dmgores
Copy link
Author

dmgores commented Nov 7, 2011

FYI none of those transaction outputs have been spent yet.

@TheBlueMatt
Copy link
Contributor

Its been long known that one can generate duplicate coinbase transactions. Currently, if a miner modifies their bitcoind to create duplicate coinbase transactions, they will be able to spend one of the two transactions and the remaining ones will be unspendable. I see no reason to make major rules modifications to help those who broke their own coins.

@dmgores
Copy link
Author

dmgores commented Nov 7, 2011

OK, thanks!

@dmgores dmgores closed this as completed Nov 7, 2011
@TheBlueMatt
Copy link
Contributor

Oops, yea you can MineA SpendA MineA SpendA, but not MineA MineA SpendA SpendA.

@JonasPertschy
Copy link

In sense of completeness: CVE-2012-1910

ptschip pushed a commit to ptschip/bitcoin that referenced this issue May 30, 2017
fjahr pushed a commit to fjahr/bitcoin that referenced this issue Jul 24, 2019
…tecture

d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture (Roman Zeyde)

Pull request description:

  It would allow using optimized field operations on the TREZOR device, which is using ARMv7 Cortex-M4.
  Following trezor/trezor-core#500 and part of trezor/trezor-firmware#66.

Tree-SHA512: 73c0f03503feff01c6f4efd884e916ae1f43f55d525e8c3ea9372cf777aef6901585b74774c316dd7937abfff5e86be5b1acb569f9eeee9b73ae088f0f6b589d
elichai added a commit to elichai/bitcoin that referenced this issue Aug 22, 2019
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: e729cc7
sipa added a commit to sipa/bitcoin that referenced this issue Sep 24, 2019
2e4ed392e1 f add tweak functions for xonly_pubkeys
add8e78542 f use xonly_pubkeys in schnorrsig sign and verify
7eeb3aa498 f add xonly pubkey struct which is serialized as 32 byte and whose Y coordinate is a quadratic residue
2e76c5dc6d f don't allow counter != 0 in nonce function
639a8599ec f use tagged hashes in nonce derivation and signature hash
6bd94240b7 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
8fcee9ab05 add chacha20 function
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2e4ed392e1fd8cb7c64787bde9b67ddc0b463e3d
kallewoof pushed a commit to kallewoof/bitcoin that referenced this issue Oct 4, 2019
52ef283 Improve the fedpeg test with extra double claim tests (Steven Roose)
48a82fa Make claimpegin fail in the case of a double claim (Steven Roose)
af22646 Prevent pegin double spends from entering the mempool (Steven Roose)
50c5570 Report IsValidPeginWitness error message (Steven Roose)

Pull request description:

  Fixes bitcoin#612 and bitcoin#613.

  - prevents a double claim from entering mempool
  - makes `claimpegin` throw an exception when trying to double claim a pegin
  - check the last commit message on all the extra cases that are tested.

Tree-SHA512: dd9602cd4bc78a3e8f7a6b566f881ede09dba54900425348c1eb528268a3e869416e3c9ca97c1a8da4d120875ef59c4e21a857256312ce77e06b7b6ae04abf92
kallewoof pushed a commit to kallewoof/bitcoin that referenced this issue Oct 4, 2019
44db4d8 Merge pull request bitcoin#57 from apoelstra/2019-04-surjectionproof-stack
f7e4d08 surjection proof: Reject proofs with too many used inputs in reduced mode
112edb2 allow reducing surjection proof size (to lower generation stack usage)
d512d78 surjectionproof: introduce `SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS` constant and set it to 16
a118acc surjectionproof: reduce stack usage
e7f4ff4 Merge pull request bitcoin#70 from apoelstra/2019-06-surjection-count
f94d46e Merge pull request bitcoin#71 from real-or-random/fix-trailing-test
49a1e01 surjectionproof: fix malleability in surjection proof parsing
55311b0 Fix read of wrong buffer (and OOB) in surjectionproof tests
290a27b surjectionproof: add test vectors for "set padding bits"
7bc3daa surjectionproof: add fixed test vectors
6f3b0c0 Improve comments for surctionproof init+alloc/destroy funcs
250ebb3 work in progress: add _allocate_initialized/destroy funcs
4a77633 Improve explanation of key cancellation attack in whitelist.md
898c9f0 Clarify how to derive alternative generator H
15d9278 Add bench_generator and bench_rangeproof to .gitignore
86240b2 Clean up ./configure help strings (zkp extensions)
865b761 Fix a small typo in the generator parameter name
cd5ba5c generator: remove `CHECK` abort calls exposed by public API
ff16651 musig: add user documentation
0ad6b60 Add 3-of-3 MuSig example
b61a1a9 Add MuSig module which allows creating n-of-n multisignatures and adaptor signatures.
5d5374f Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
a8ae6ba add chacha20 function
9a8a71e use proper types for rangeproof min/max
14769b9 rangeproof: reduce iteration count in unit tests
0593861 Enable more builds with rest of experimental flags
e9fea74 Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting
dec1b9c Add comment to explain effect of max_n_iterations in surjectionproof_init
ea62bfe add unit test for generator and pedersen commitment roundtripping
e32924f rangeproof: fix serialization of pedersen commintments
972d056 rangeproof: verify correctness of pedersen commitments when parsing
2cc4c6f generator: verify correctness of point when parsing
65ffea4 rangeproof: check that points deserialize correctly when verifying rangeproof
cb786d6 rangeproof: add fixed vector test case
b387ba0 Expose generator in shared library
8da4328 fix spelling in documentation
6f14fe4 Test for rejection of trailing bytes in range proofs
ab4fbc1 Test for rejection of trailing bytes in surjection proofs
c908c97 Reject surjection proofs with trailing garbage
f723bf5 Minor bugfix. Wrong length due to NUL character.
6872069 Add whitelisting benchmark
6ceccb7 add whitelist_impl.h to include for dist
a3ad4a8 generator: add API tests
e93e886 generator: remove unnecessary ARG_CHECK from generate()
f1d6e4b Fix generator makefile
68be611 Fix pedersen_blind_generator_blind_sum return value documentation
51fc58a Add n_keys argument to whitelist_verify
36b100c Fix checks of whitelist serialize/parse arguments
c8f54e1 whitelist: fix serialize/parse API to take serialized length
56fca50 Fix include/secp256k1_rangeproof.h function argument documentation.
4617f04 rangeproof: add API tests
cd4e438 surjectionproof: rename unit test functions to be more consistent with other modules
2cc7f1e surjectionproof: add API unit tests
c4097f7 surjectionproof: tests_impl.h s/assert/CHECK/g
5ee6bf3 rangeproof: fix memory leak in unit tests
94e81a2 add surjection proof module
a66ea35 Implement ring-signature based whitelist delegation scheme
2bb5133 rangeproof: several API changes
9b00b61 Expose generator in pedersen/rangeproof API
54fa263 Constant-time generator module
023aa86 rangeproof: expose sidechannel message field in the signing API
89e7451 [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
f126331 Pedersen commitments, borromean ring signatures, and ZK range proofs.
e1fb4af Add 64-bit integer utilities
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
b19c000 Merge bitcoin#607: Use size_t shifts when computing a size_t
4d01bc2 Merge bitcoin#606: travis: Remove unused sudo:false
e6d01e9 Use size_t shifts when computing a size_t
7667532 travis: Remove unused sudo:false
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
ee99f12 Merge bitcoin#599: Switch x86_64 asm to use "i" instead of "n" for immediate values.
d58bc93 Switch x86_64 asm to use "i" instead of "n" for immediate values.
05362ee Merge bitcoin#597: Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
8348386 Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
aa15154 Merge bitcoin#568: Fix integer overflow in ecmult_multi_var when n is large
2277af5 Fix integer overflow in ecmult_multi_var when n is large
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
85d0e1b Merge bitcoin#591: Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
1419637 Merge bitcoin#580: Add trivial ecmult_multi algorithm which does not require a scratch space
a697d82 Add trivial ecmult_multi to the benchmark tool
bade617 Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points.
5545e13 Merge bitcoin#584: configure: Use CFLAGS_FOR_BUILD when checking native compiler
20c5869 Merge bitcoin#516: improvements to random seed in src/tests.c
b76e45d Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
870a977 Merge bitcoin#562: Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
be40c4d Fixup for C90 mixed declarations.
c71dd2c Merge bitcoin#509: Fix algorithm selection in bench_ecmult
6492bf8 Merge bitcoin#518: Summarize build options after running configure
0e9ada1 Merge bitcoin#567: Correct order of libs returned on pkg-config --libs --static libsecp2…
e96901a Merge bitcoin#587: Make randomization of a non-signing context a noop
58df8d0 Merge bitcoin#511: Portability fix for the configure scripts generated
2ebdad7 Merge bitcoin#552: Make constants static:
1c131af Merge bitcoin#551: secp256k1_fe_sqrt: Verify that the arguments don't alias.
ba698f8 Merge bitcoin#539: Assorted minor corrections
949e85b Merge bitcoin#550: Optimize secp256k1_fe_normalize_weak calls.
a34bcaa Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker
2d5f4ce configure: Use CFLAGS_FOR_BUILD when checking native compiler
b408c6a Merge bitcoin#579: Use __GNUC_PREREQ for detecting __builtin_expect
6198375 Make randomization of a non-signing context a noop
c663397 Use __GNUC_PREREQ for detecting __builtin_expect
3cb057f Fix possible integer overflow in DER parsing
89a20a8 Correct order of libs returned on pkg-config --libs --static libsecp256k1 call.
d3cb1f9 Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
496c5b4 Make constants static: static const secp256k1_ge secp256k1_ge_const_g; static const int CURVE_B;
bf8b86c secp256k1_fe_sqrt: Verify that the arguments don't alias.
9bd89c8 Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead.
52ab96f clean dependendies in field_*_impl.h
deff5ed Correct math typos in field_*.h
4efb3f8 Add check that restrict pointers don't alias with all parameters.
3965027 Summarize build options in configure script
0f05173 Fix algorithm selection in bench_ecmult
8b3841c fix bug in fread() failure check
cddef0c tests: add warning message when /dev/urandom fails
270f6c8 Portability fix for the configure scripts generated
REVERT: 43dd1f4 Merge pull request bitcoin#40 from instagibbs/size_t
REVERT: 6532fa0 Merge pull request bitcoin#39 from instagibbs/more_builds
REVERT: 2b2429d rangeproof: reduce iteration count in unit tests
REVERT: 12b0e5d Enable more builds with rest of experimental flags
REVERT: 8c444ee use proper types for rangeproof min/max
REVERT: 53ad841 Add explanation about how BIP32 unhardened derivation can be used to simplify whitelisting
REVERT: 71c5fe0 Add comment to explain effect of max_n_iterations in surjectionproof_init
REVERT: 85fd42f add unit test for generator and pedersen commitment roundtripping
REVERT: 2ccf885 rangeproof: fix serialization of pedersen commintments
REVERT: 60c173b rangeproof: verify correctness of pedersen commitments when parsing
REVERT: 32d7526 generator: verify correctness of point when parsing
REVERT: ae14e8a rangeproof: check that points deserialize correctly when verifying rangeproof
REVERT: 44fe43d rangeproof: add fixed vector test case
REVERT: e065d7d Expose generator in shared library
REVERT: fb1ba32 fix spelling in documentation
REVERT: fb75faa Test for rejection of trailing bytes in range proofs
REVERT: 9b2cf17 Test for rejection of trailing bytes in surjection proofs
REVERT: a3a1800 Reject surjection proofs with trailing garbage
REVERT: 0c77ae9 Minor bugfix. Wrong length due to NUL character.
REVERT: b1f31bc Add whitelisting benchmark
REVERT: 52a9f8f add whitelist_impl.h to include for dist
REVERT: a707865 generator: add API tests
REVERT: ec1ef04 generator: remove unnecessary ARG_CHECK from generate()
REVERT: b0e9aa8 Fix generator makefile
REVERT: 526c654 Fix pedersen_blind_generator_blind_sum return value documentation
REVERT: b51886e Add n_keys argument to whitelist_verify
REVERT: 37c57de Fix checks of whitelist serialize/parse arguments
REVERT: 9b8a9d9 whitelist: fix serialize/parse API to take serialized length
REVERT: 7f17515 Fix include/secp256k1_rangeproof.h function argument documentation.
REVERT: 0d81702 rangeproof: add API tests
REVERT: 417bb06 surjectionproof: rename unit test functions to be more consistent with other modules
REVERT: 1e2d5c1 surjectionproof: add API unit tests
REVERT: 7878a29 surjectionproof: tests_impl.h s/assert/CHECK/g
REVERT: e609591 rangeproof: fix memory leak in unit tests
REVERT: 0c17f79 add surjection proof module
REVERT: c174f0c Implement ring-signature based whitelist delegation scheme
REVERT: a2bc660 rangeproof: several API changes
REVERT: 21bfb3c Expose generator in pedersen/rangeproof API
REVERT: f4620de Constant-time generator module
REVERT: d46fc3c rangeproof: expose sidechannel message field in the signing API
REVERT: cf40b1b [RANGEPROOF BREAK] Use quadratic residue for tie break and modularity cleanup
REVERT: 6d28767 Get rid of precomputed H tables (Pieter Wuille)
REVERT: ae1e576 Pedersen commitments, borromean ring signatures, and ZK range proofs.
REVERT: efc61dc Add 64-bit integer utilities

git-subtree-dir: src/secp256k1
git-subtree-split: 44db4d801fff3cd94105136cb443d603683baad2
sipa added a commit to sipa/bitcoin that referenced this issue Nov 6, 2019
9d5373307c f add new bip-schnorr test vector 14
44881b21e3 f rename is_positive in schnorrsig module to has_square_y
affa6e87e9 f rename is_positive in xonly_pubkey api to has_square_y
b5fcf54149 f uninitialized memory in tests
7e4ea97582 f trigger travis
538052c950 f reenable test vectors
26f95c556a f feed seckey that is actually signed with (i.e. perhaps negated) into nonce functions
2b36bf7db3 f sign -> is_positive
dfce048bde f remove xonly_pubkey_to_pubkey
74bb3b4318 f don't use secp256k1_pubkeys in xonly_tweak api and instead use is_positive flag
5764b2b2b7 f test that pubkey is zeroed after xonly_pubkey_parse returned 0
e28b61c290 f const casting
84fe42737d f address some of pieter's comments
2e4ed392e1 f add tweak functions for xonly_pubkeys
add8e78542 f use xonly_pubkeys in schnorrsig sign and verify
7eeb3aa498 f add xonly pubkey struct which is serialized as 32 byte and whose Y coordinate is a quadratic residue
2e76c5dc6d f don't allow counter != 0 in nonce function
639a8599ec f use tagged hashes in nonce derivation and signature hash
6bd94240b7 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
8fcee9ab05 add chacha20 function
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 9d5373307cfad5fa1b53820d417a8155d2d557dc
sipa added a commit to sipa/bitcoin that referenced this issue Nov 19, 2019
c86c6cff66 Fixup rename
41b7be1dac f rename xonly_pubkey_tweak_verify to xonly_pubkey_tweak_test and add a few notes that this does not verify anything cryptographically
a36d45d597 f don't use ec_pubkey_parse indirection in xonly_pubkey_parse
a8686b9670 f don't use ec_pubkey_parse indirection in xonly_pubkey_parse
19c144ccca f rename schnorrsig_real_verify because it doesn't verify
7dbb2e8f9b f add macro SECP256K1_LEN_XONLY_PUBKEY equal to 32 to allow reducing magic numbers in calling code
a87a0576dc f Move most of ec_pubkey_absolute into ge_absolute to make it available to functions which don't operate on pubkeys but on group elements.
d727cb31c0 Add taproot test case to schnorrsig module
e8b8e794b7 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
69f1e8923d Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
641ba4a238 Add chacha20 function
4d84cb8fdc Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
0a3a7f9b6c Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: c86c6cff663e6c928c668623da2fced18e338ff5
sipa added a commit to sipa/bitcoin that referenced this issue Jan 21, 2020
df8c69879 f rename private to secret key to be compatible with PR 701
59f2fd7c1 f add test that xonly_add zeroes the output on failure
af3f0e52a f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
6e0290679 f is_negated and added test
1901f3bf9 Add taproot test case to schnorrsig module
6a7ee8a86 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
c6473591a Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
fd9609d7c Add chacha20 function
1abbe1bb6 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
9eb303a0f Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: df8c698793a51639b6fdb5b908b1ddfaedbe1fd5
sipa added a commit to sipa/bitcoin that referenced this issue Jan 23, 2020
df8c698793 f rename private to secret key to be compatible with PR 701
59f2fd7c19 f add test that xonly_add zeroes the output on failure
af3f0e52aa f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
6e0290679c f is_negated and added test
1901f3bf9c Add taproot test case to schnorrsig module
6a7ee8a862 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
c6473591a1 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
fd9609d7c5 Add chacha20 function
1abbe1bb6e Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
9eb303a0fa Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: df8c698793a51639b6fdb5b908b1ddfaedbe1fd5
jnewbery added a commit to jnewbery/bitcoin that referenced this issue Mar 17, 2020
819c3a6c1 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdca f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d669 f remove remnants of square Y
8439ce171 f improve nonce_function_bip340 tests
3bb12e339 f reenable test vectors
29bdda7ef f mask key in bip340 nonce function
4650ae812 f add tagged hash for bip340 auxiliary random data
593ceddf2 f add comment about overflowing schnorrsig challenge hashes
23c3b0050 f need to serialize internal pk for tweak in taproot test
4c8cdc644 f use updated schnorrsig BIP340 challenge tag
32dfe512e f update schnorr signing to updated bip 340 nonce tag
92205468c f update bip 340 nonce function tag
3bb25272e f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6b f use extended nonce function in schnorrsigs
7c9f51c18 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c606 f switch from squareness to evenness in schnorrsig sign
ef38b0ca5 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e043 f disable test vectors for now
04c0cf9a6 f typos
c149dbf37 f rename bip-schnorr to BIP-340 and fix links
bb252f13c f rename private to secret key to be compatible with PR 701
8be18c0ac f add test that xonly_add zeroes the output on failure
fc45a12d6 f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d f is_negated and added test
f90656db7 Add taproot test case to schnorrsig module
a61d98658 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6f Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e Add chacha20 function
cb4a86089 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 18, 2020
819c3a6c15 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdcad f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d6692 f remove remnants of square Y
8439ce1719 f improve nonce_function_bip340 tests
3bb12e3391 f reenable test vectors
29bdda7ef3 f mask key in bip340 nonce function
4650ae812e f add tagged hash for bip340 auxiliary random data
593ceddf23 f add comment about overflowing schnorrsig challenge hashes
23c3b0050e f need to serialize internal pk for tweak in taproot test
4c8cdc6440 f use updated schnorrsig BIP340 challenge tag
32dfe512e4 f update schnorr signing to updated bip 340 nonce tag
92205468c3 f update bip 340 nonce function tag
3bb25272e8 f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6bd f use extended nonce function in schnorrsigs
7c9f51c183 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c6061 f switch from squareness to evenness in schnorrsig sign
ef38b0ca53 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e0433 f disable test vectors for now
04c0cf9a6f f typos
c149dbf37b f rename bip-schnorr to BIP-340 and fix links
bb252f13cd f rename private to secret key to be compatible with PR 701
8be18c0ac9 f add test that xonly_add zeroes the output on failure
fc45a12d6c f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d6 f is_negated and added test
f90656db7a Add taproot test case to schnorrsig module
a61d986587 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6fb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e7 Add chacha20 function
cb4a86089d Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd4 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 18, 2020
819c3a6c15 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdcad f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d6692 f remove remnants of square Y
8439ce1719 f improve nonce_function_bip340 tests
3bb12e3391 f reenable test vectors
29bdda7ef3 f mask key in bip340 nonce function
4650ae812e f add tagged hash for bip340 auxiliary random data
593ceddf23 f add comment about overflowing schnorrsig challenge hashes
23c3b0050e f need to serialize internal pk for tweak in taproot test
4c8cdc6440 f use updated schnorrsig BIP340 challenge tag
32dfe512e4 f update schnorr signing to updated bip 340 nonce tag
92205468c3 f update bip 340 nonce function tag
3bb25272e8 f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6bd f use extended nonce function in schnorrsigs
7c9f51c183 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c6061 f switch from squareness to evenness in schnorrsig sign
ef38b0ca53 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e0433 f disable test vectors for now
04c0cf9a6f f typos
c149dbf37b f rename bip-schnorr to BIP-340 and fix links
bb252f13cd f rename private to secret key to be compatible with PR 701
8be18c0ac9 f add test that xonly_add zeroes the output on failure
fc45a12d6c f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d6 f is_negated and added test
f90656db7a Add taproot test case to schnorrsig module
a61d986587 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6fb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e7 Add chacha20 function
cb4a86089d Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd4 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 19, 2020
819c3a6c15 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdcad f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d6692 f remove remnants of square Y
8439ce1719 f improve nonce_function_bip340 tests
3bb12e3391 f reenable test vectors
29bdda7ef3 f mask key in bip340 nonce function
4650ae812e f add tagged hash for bip340 auxiliary random data
593ceddf23 f add comment about overflowing schnorrsig challenge hashes
23c3b0050e f need to serialize internal pk for tweak in taproot test
4c8cdc6440 f use updated schnorrsig BIP340 challenge tag
32dfe512e4 f update schnorr signing to updated bip 340 nonce tag
92205468c3 f update bip 340 nonce function tag
3bb25272e8 f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6bd f use extended nonce function in schnorrsigs
7c9f51c183 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c6061 f switch from squareness to evenness in schnorrsig sign
ef38b0ca53 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e0433 f disable test vectors for now
04c0cf9a6f f typos
c149dbf37b f rename bip-schnorr to BIP-340 and fix links
bb252f13cd f rename private to secret key to be compatible with PR 701
8be18c0ac9 f add test that xonly_add zeroes the output on failure
fc45a12d6c f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d6 f is_negated and added test
f90656db7a Add taproot test case to schnorrsig module
a61d986587 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6fb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e7 Add chacha20 function
cb4a86089d Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd4 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 21, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue Mar 22, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue Mar 27, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
jnewbery added a commit to jnewbery/bitcoin that referenced this issue Apr 16, 2020
372c4555c Add schnorrsig_sign to the valgrind ctime test
bf2df4428 f make schnorrsig_sign constant time in edge cases
7178b4430 f add test for overflowing nonce (which is fine)
925e95994 Add taproot test case to schnorrsig module
9971d6ce8 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbaf Add BIP-340 nonce function
a2a1b2cbb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df Add chacha20 function
f59da5a6f Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee8467 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
jnewbery added a commit to jnewbery/bitcoin that referenced this issue Apr 19, 2020
372c4555c Add schnorrsig_sign to the valgrind ctime test
bf2df4428 f make schnorrsig_sign constant time in edge cases
7178b4430 f add test for overflowing nonce (which is fine)
925e95994 Add taproot test case to schnorrsig module
9971d6ce8 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbaf Add BIP-340 nonce function
a2a1b2cbb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df Add chacha20 function
f59da5a6f Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee8467 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue Apr 19, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue May 2, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue May 22, 2020
ccb23e329d valgrind_ctime_test: Add schnorrsig_sign
682a113f3a schnorrsig: Add taproot test case
a0a01a4915 schnorrsig: Add benchmark for sign and verify
fa5b11cbb4 schnorrsig: Add BIP-340 compatible signing and verification
bb888e4f63 schnorrsig: Add BIP-340 nonce function
07963e8843 schnorrsig: Init empty experimental module
87d98a4756 Allow initializing tagged sha256
6f4d0d86a9 extrakeys: Add keypair_xonly_tweak_add
37be855167 extrakeys: Add keypair struct with create, pub and pub_xonly
96ed0dd9d3 Separate helper functions for pubkey_create and seckey_tweak_add
7a3acdcef9 extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test
6d6f3e5fdf Separate helper function for ec_pubkey_tweak_add
4b2febf8fc extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey
d2d45afc16 extrakeys: Init empty experimental module
8f247275a0 Make the secp256k1_declassify argument constant
f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge bitcoin#732: Retry if r is zero during signing
59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge bitcoin#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: ccb23e329d34e6717528c81c3bed76c7a45c547b
sipa added a commit to sipa/bitcoin that referenced this issue Jun 9, 2020
2ed54da Merge bitcoin#755: Recovery signing: add to constant time test, and eliminate non ct operators
2860950 Add tests for the cmov implementations
73596a8 Add ecdsa_sign_recoverable to the ctime tests
2876af4 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery
5e1c885 Merge bitcoin#754: Fix uninit values passed into cmov
f79a7ad Add valgrind uninit check to cmovs output
05d315a Merge bitcoin#752: autoconf: Use ":" instead of "dnl" as a noop
a39c2b0 Fixed UB(arithmetics on uninit values) in cmovs
3a6fd7f Merge bitcoin#750: Add macOS to the CI
5e8747a autoconf: Use ":" instead of "dnl" as a noop
71757da Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh
99bd661 Replace travis_wait with a loop printing "\a" to stdout every minute
bc818b1 Bump travis Ubuntu from xenial(16.04) to bionic(18.04)
0c5ff90 Add macOS support to travis
b6807d9 Move travis script into a standalone sh file
f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge bitcoin#732: Retry if r is zero during signing
59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge bitcoin#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2ed54da
stackman27 pushed a commit to stackman27/bitcoin that referenced this issue Jun 26, 2020
2ed54da Merge bitcoin#755: Recovery signing: add to constant time test, and eliminate non ct operators
2860950 Add tests for the cmov implementations
73596a8 Add ecdsa_sign_recoverable to the ctime tests
2876af4 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery
5e1c885 Merge bitcoin#754: Fix uninit values passed into cmov
f79a7ad Add valgrind uninit check to cmovs output
05d315a Merge bitcoin#752: autoconf: Use ":" instead of "dnl" as a noop
a39c2b0 Fixed UB(arithmetics on uninit values) in cmovs
3a6fd7f Merge bitcoin#750: Add macOS to the CI
5e8747a autoconf: Use ":" instead of "dnl" as a noop
71757da Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh
99bd661 Replace travis_wait with a loop printing "\a" to stdout every minute
bc818b1 Bump travis Ubuntu from xenial(16.04) to bionic(18.04)
0c5ff90 Add macOS support to travis
b6807d9 Move travis script into a standalone sh file
f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge bitcoin#732: Retry if r is zero during signing
59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge bitcoin#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2ed54da
KolbyML pushed a commit to KolbyML/bitcoin that referenced this issue Sep 4, 2020
* Updated from PIVX v3.1.1 (bitcoin#49)

* Merge bitcoin#524: Add blocksizenotify command

44e4d2e Add blocksizenotify command (Jeremy)

Tree-SHA512: 0deb5a883c5d52d0b4e4681fd5ea6c845363ede4299bb59f10a22b23f00aff4e5bb62a7954b752d7d33db5a422ec169f60360868296aa833849cc3e35145250b

* Merge bitcoin#528: Readme changes

42fa274 Readme changes (Sieres)

Tree-SHA512: d5112531283a9554fd6c01ba75bda532cf8cebffc98ea16e7432663f88a9fe1378ba40eb242e6daf8b1666ba1f276f885bdd7a4a8c3300a04cf855d2150749ec

# Conflicts:
#	README.md

* Merge bitcoin#518: [Wallet] Combine fees when possible and fix autocombine insufficient funds

eb603b4 [Wallet] Fix autocombine (warrows)
3f9e746 [Wallet] Combine change to output when possible & provide it in autocombine (warrows)
10426c7 [Wallet] Increase fee margin to up to 10% of autocombine send (warrows)

Tree-SHA512: e3452b0862b30c5c7f21697d12485e7b009dda3b4225e9685209425cb4a16baf35dd9d591b39ece077c3314f7c344f23b3810e5d0d840a8003c7d7d09f5c7ae4

# Conflicts:
#	src/wallet.cpp

* Merge bitcoin#523: Give high priority to zerocoinspends to make it into the next block.

84a4f91 Give high priority to zerocoinspends to make it into the next block. (presstab)

Tree-SHA512: d7bf91433a2059d8acc4b322dc21b98ca97af7e03d47a7225a8fe0ccb1265c625aaab758071d2b950b07b4d11814e1baca384c213c49215d976d7d9f323e3660

* Merge bitcoin#533: [Doc] Update OSX build notes: zmq, libevent, and notes to handle possible glibtoolize error

fde9f94 osx build notes: libzmq -> zmq in brew install, add libevent (Tim Uy)

Tree-SHA512: eb44a499c3f42da2a296161bc01be49cd63fbd928c513018010a564cd1192e1000beb1987d536f4ab93782cd2930527552108418e973448c80e6c5a59c2a78ef

# Conflicts:
#	doc/build-osx.md

* Merge bitcoin#532: [Depends] Update depends package versions.

bc4ffd5 [Depends] Update depends package versions. (Fuzzbawls)

Tree-SHA512: 814f769d65657e1bd02daca583dd5b63fc3ee9af53afcabeaafa661fe9e584c484ebfef7763a59d41ac81b4ade03a9d85d40b86b25ab873bf578cfe8063acdd6

# Conflicts:
#	depends/patches/zeromq/0001-fix-build-with-older-mingw64.patch

* Merge bitcoin#538: [Qt] Fix warning dialog popup for the Blockchain Explorer

50088b8 [Qt] Fix warning dialog popup for the Blockchain Explorer (Fuzzbawls)

Tree-SHA512: 5bef022ea6ebbe36dfd58ccc6e0c0b48a2f1268934f4fb0ec34100e05be38b325d0a832e650104b2e1e2741c9d118e7d9894e99dafeb2bf7b5a43f180e597fff

# Conflicts:
#	src/qt/blockexplorer.cpp

* Merge bitcoin#542: [Network] Remove vfReachable and modify IsReachable to only use vfLimited.

38ed737 Remove vfReachable and modify IsReachable to only use vfLimited. (Patrick Strateman)

Tree-SHA512: 8aa61f9abd8356522f3ba71b35497aac07e10333a39ff4b98bb635d1246e6b1be6b0ee0b236944fbfaa558af0e6c0cc219e540eacb2232bc05db393e4a72b088

* Merge bitcoin#526: Refactor ConnectBlock() to segregate state tracking items

00cd668 Refactor ConnectBlock() to segregate state tracking items from the 'Just Check' section. (presstab)

Tree-SHA512: 457019024cd8e786810611efb776dc16e12ed7cb71c9df79bc52d5cab9fe32d55cefaf1653d11e3d348b8008456c613c1fc5f17f53520de5c157a6cc861e8379

# Conflicts:
#	src/main.cpp

* Rename coin name

* Fixed compiling error

* Merge bitcoin#535: [core] Minor refacturing + unused variable removed

7633516 [core] Minor refacturing + unused variable removed (Mrs-X)

Tree-SHA512: aa43dec1f95b56bfd8ae51ec3ea8e1a23e6011262b39a2492b006802a9da7f52aec99afd3d4e4259067911557a986ba52e18838feb4c7b117345610c3234a16a

* Merge bitcoin#543: [RPC] Segfault pivx-cli getinfo while loading block index

336e3d8 [RPC] Segfault pivx-cli getinfo while loading block index (Mrs-X)

Tree-SHA512: 30bf65f7f527ba78bdcd0e2fef4da77f15a049f605a0cb3000b565c0e19e8dd274a137d1371435c0793617004591757b6b5e31029ed7a247d46bb6368cfec88b

* Merge bitcoin#539: [RPC] Allow watchonly coins to be shown for listunspent

c3671b5 Allow rpc listunspent to have options for watchonly transactions (blondfrogs)

Tree-SHA512: 5c998c1c5d0da8c4245662e528cbee5f70855fb941baa82524610d6f52810df0a70b6c29677f3f666e33995bf823778a58b2cb3e7b4182a2c644f1b383ba8506

* Merge bitcoin#544: [Trivial] Add debug info for CWallet::ReconsiderZerocoins().

993fcee Add debug info for CWallet::ReconsiderZerocoins(). (presstab)

Tree-SHA512: 494803e04778eec487ae35e12efd2cf3b5acdc094c98913998563d8386d98142b7525d6703a41dabba10e5126041d56c6ddd61e2130ae6f439d23439b7c6ee2c

* Merge bitcoin#552: [Trivial] Fix errant LogPrint in UpdateZPIVSupply

2d5aa5b [Trivial] Fix errant LogPrint in UpdateZPIVSupply (Fuzzbawls)

Tree-SHA512: b514a5aaa04b573af991c2eec518db0593dedd26e917f6275d308719b83059728d51fb9f50b721011393f4a73412998f88315d0587008a1f0cb940a272df6ceb

* Merge bitcoin#551: [Consensus] Require standard transactions for testnet

d3c60aa [Consensus] Require standard transactions for testnet (Fuzzbawls)

Tree-SHA512: ef0d1ed46623ce15d59f63f0c857fbdda7d9cf52825957f631548908cfe03d79f18b9fc5c7cfb01ff14e90b1a6e2f41e190bc64d7f4561a83b5ab2e287ef75a9

* Merge bitcoin#554: [Docs] Added release notes for autocombine and proxy GUI.

68e1a20 [Docs] Added release notes for autocombine and proxy GUI. (warrows)

Tree-SHA512: 59baa3bfe46489c288cc06d4dc9d3fc5486c9d2de5e41574333f1ada5438a9087f754a0c33eabf6bfb92b91ec71ae60464db48b7bed27c00cf7fb683e6e86904

* Merge bitcoin#558: [Core] Remove Gitan-OSX warning for High Sierra builds

390e49b [Core] Remove Gitan-OSX warning for High Sierra builds (Mrs-X)

Tree-SHA512: d914f13ff8f8b4d15334ba4aaea21fa43035489bb2c5932c168a6299095b4e85a9f1bd54cc85a287251956a24bfa384b1998ca051ebc4a75510e4568b891c3d8

* Merge bitcoin#447: [Consensus] Fix compilation with OpenSSL 1.1

094fa11 [Compilation] Add additional information to compile with unsupported SSL (warrows)
903c4f1 [Consensus] Allow for compilation with OpenSSL 1.1 (warrows)

Tree-SHA512: 9c843279cb889e72bb44b019a7859510f4fe39f3a358f18c4d09a35a9bede1d940a07c2c3781f388fdab42bd0e5acd51160e5e0b07a33050e293214b3e4db0a4

* Merge bitcoin#559: [Bug] Segfault with -enableswifttx=0 / -enableswifttx=false

0bc66f3 [Bug] Segfault with -enableswifttx=0 / -enableswifttx=false (Mrs-X)

Tree-SHA512: e71de283ae5708bc7f844ebc7d5cf2a62a2c3928d5164661d66ed0b770eccfa9f84cf69de3d7bdd1dee6160439d916563045dc7d5173e0d70e6c7ec51ac1cbb7

* Merge bitcoin#562: [Wallet/RPC] Add argument to mint zerocoin from specific UTXO

a5123c2 [Documentation] Improve help for mintzerocoin rpc command (warrows)
9a0b734 [Wallet/RPC] Add argument to mint zerocoin from specific UTXO (warrows)

Tree-SHA512: fb5056eb7d81e06b66ced7ea8e92f053a04c0ad71df0eb84a08180ced2edd4313c5fa15fde7345dd1d8f65b1c93480e141049a570abec9dd7c14ecb6f8cde0e3

# Conflicts:
#	src/rpcwallet.cpp

* Merge bitcoin#568: [Qt] Connect automint icon to the UI automint setting change

28466e2 [Qt] connect automint icon to the UI automint setting change (warrows)

Tree-SHA512: 1107b842a0d0a9a7044922a6c997b05fb030dc5e6014217f09e6b769ad685bd5b7bdc32699eb2b6514259d719bdef8bc89b2fe1dd5b59beb0c64185a00783501

* Merge bitcoin#571: [Qt] Update privacy tab info about zeromint on config change

c0ffe24 [Qt] Update privacy tab info about zeromint on config change (warrows)

Tree-SHA512: 54016bef392a010541d1ab3373a0144100dc0b99f3cfed804b395dc0ab08f60bb93c22b52decdfbbabd6e5e39ffcba1d80bd23a92fb9986c722062de1f47ddd7

* Merge bitcoin#570: [Wallet] Add a check on zPIV spend to avoid a segfault

b8185ae [Wallet] Add a check on zPIV spend to avoid a segfault (warrows)

Tree-SHA512: 960c0d06a5fc040e290be334224fd224cf78f698cc99e4db7b618f25085091e19b2e02d906114008bb2e6315d343a46960b5f1f817c5975ac46d62fe498a8843

* Merge bitcoin#572: [Qt] Refresh zPIV balance after resetting mints or spends

992763b [Qt] Refresh zPIV balance after resetting mints or spends (warrows)

Tree-SHA512: bea53d1632e6410144613f4a83de3ed232dc21c05b5eb091b5f6dcde55f67057190708d3493b54a7b243a60c6701054bdc85239625c41d3d5a32c630192b4b54

* Staking zPiv.

# Conflicts:
#	src/chainparams.cpp
#	src/kernel.cpp
#	src/main.cpp
#	src/main.h
#	src/miner.cpp
#	src/qt/forms/zpivcontroldialog.ui
#	src/qt/transactionrecord.cpp
#	src/qt/transactiontablemodel.cpp
#	src/wallet.cpp
#	src/wallet.h
#	src/walletdb.cpp

* Fixed compiling error

* Add libzerocoin::SpendType enum.

This allows for more transaction types using zPIV, including using zPIV without actually spending it (for example if needing to show proof of zPIV for voting or for masternode collateral).

* Validate that the correct spend type is used for zPIV spend and zPIV stake.

* V2 zPIV must have serials that have the 1st byte as 00.

Requiring that v2 zPIV use serials that have the first byte as 00 will make zPIV v2 serials unique from v1 serials. This prevents a 'serial troller' from reminting with someone elses v2 serial and simply changing the version flag to v1 when they spend the zerocoin, which would negate any of the additional v2 requirements.

It is unlikely that many (if any) serials were minted with the first byte as 00. Note that if there are existing v1 zPIV with 00 prefixed serials, it would make them unspendable since the owner would not have an associated private key.

* change to using first nibble as 0xF for v2 serial mark.

* Switch to a new accumulator with the correct modulus.

# Conflicts:
#	src/libzerocoin/Commitment.cpp
#	src/miner.cpp
#	src/wallet.cpp

* Fixed compiling error

* Change zpiv stake to use serial hash.

# Conflicts:
#	src/init.cpp
#	src/qt/transactiontablemodel.cpp
#	src/wallet.cpp

* Fixed compiling error

* Add description for -pivstake= and -zpivstake=.

* Make RPC export/import zerocoins compatible with v2.

* [P2P] Update ActiveProtocol for 70913 protocol version

# Conflicts:
#	src/main.cpp
#	src/version.h

* [Wallet] Add missing variable to 2 AvailableCoins() calls

This is mostly depreciated code since the removal of coinjoin style
privacy (Obfuscation), but the missing boolean variable in these two
calls was causing compiler warnings on newer versions of gcc for always
evaluating to true.

The use of a static `false` was taken from upstream DASH.

* [zPIV] Adjust testnet v2 starting block

* Fix coinbase check. Add override specifiers. Proper init for SetDec.

* [Budget] Change finalization collateral to 5 PIV

* Merge bitcoin#513: [core] Fix masternode broadcast for networks != MAINNET

bc8be7c [core] Fix masternode broadcast for networks != MAINNET (update) (Mrs-X)

Tree-SHA512: de1a713e166a45d26848d45d656ab36d68dc0d52810e0a66865c635442d4ac75a5602dbf39455b986356f17d3552e697607bb4464657b727ebaef0a8580f5657

# Conflicts:
#	src/activemasternode.cpp
#	src/masternode.cpp
#	src/masternode.h

* implemented masternode_broadcast
# Conflicts:
#	src/activemasternode.cpp
#	src/activemasternode.h
#	src/masternode.cpp
#	src/masternode.h
#	src/masternodeman.cpp
#	src/masternodeman.h
#	src/rpcserver.cpp
#	src/rpcserver.h

* Updated fundamental node

* broke up the RPC commands in create/decode/relay
# Conflicts:
#	src/masternode.cpp
#	src/rpcserver.cpp
#	src/rpcserver.h

* Updated fundamental node

* restore protocolVersion (lowered for testing purposes)
# Conflicts:
#	src/masternode.cpp

* factor out GetStrMessage() - define MIN_PEER_MNANNOUNCE
# Conflicts:
#	src/masternode.cpp
#	src/masternode.h

* Updated fundamental node

* use error() instead of LogPrintf()
# Conflicts:
#	src/masternode.cpp

* Style Changes

- don't print masternode ip in the logs
- join fHelp and wrong command clauses
- use more descriptive names for pubkeys variables
- change "result" to "success" and make it a boolean value
- use array for resultsObj in createmasternode all
- use lowercase for json objects
- add detailed output example to decodemasternodebroadcast help
- fix rpcserver.cpp indentation
# Conflicts:
#	src/masternodeman.cpp
#	src/rpcserver.cpp

* Updated fundamental node

* [P2P] Add new spork key and handling logic

- New spork key added
- Sporks signed with the old key are valid until a pre-determined time
- No NEW spork changes can be signed with the old key

# Conflicts:
#	src/chainparams.cpp
#	src/spork.cpp

* [Wallet] use GetTime() for nStartupTime

`nStartupTime` is initalized before the P2P network initialization takes
place, making the use of `GetAdjustedTime()` cause a lock ordering
segfault under certain situations.

* Clean up lockorder data of destroyed mutexes

# Conflicts:
#	src/sync.h

* Clean up apparent locking issues

These locks address compiler warnings when compiling with clang's
`-Wthread-safety-analysis`

* Remove extra typedef

This slipped in from some other testing i was doing, shouldn't be
included yet.

* [Build] Add missing files to src/Makefile.am

These were left out, and break Travis/Gigian building due to them not
being included in the dist tarball.

* Load mint version based on serial parsing.

* Fix typo in ban reason output

* [RPC] Fix spork command input length

Sporks are uint64, but the input variable was being parsed as an int,
causing an out-of-range error for larger values.

* [Qt] Show correct data for MN reward on a zPIV stake block

* [Wallet] Stop removing spent zPIV hashes from map

* [QT] Fix zPIV stake transaction record

# Conflicts:
#	src/qt/transactionrecord.cpp

* GetOldStrMessage() / GetNewStrMessage(): check against both
# Conflicts:
#	src/masternode.cpp
#	src/masternode.h

* Merge bitcoin#513: [core] Fix masternode broadcast for networks != MAINNET

bc8be7c [core] Fix masternode broadcast for networks != MAINNET (update) (Mrs-X)

Tree-SHA512: de1a713e166a45d26848d45d656ab36d68dc0d52810e0a66865c635442d4ac75a5602dbf39455b986356f17d3552e697607bb4464657b727ebaef0a8580f5657

# Conflicts:
#	src/activemasternode.cpp
#	src/masternode.cpp
#	src/masternode.h

* Sign "old" strMessage before nBlockZerocoinV2
# Conflicts:
#	src/masternode.cpp

* minor style change

(replace 'LogPrintf'+'return false' with 'return error')
# Conflicts:
#	src/masternode.cpp

* Fix zPIV mint databasing.

* [Budget] Finalization fixes

# Conflicts:
#	src/masternode-budget.cpp

* Working model for deterministic zPIV.

Deterministic zPIV minting. Unit test added to zerocoin_implementation_tests.cpp. This deterministic generation model will likely be changed with further testing.

Update mapSerialHashes each time SelectStakeCoins() is called.

Better tracking of zPIV mint status updates.

- Removed several walletdb ListMintedCoins reads and replaced them with iterating over the serialhashes map.
- Disconnect block will now update a mint's status that is part of the disconnected block.
- Shorten CTxIn.ToString() print out when it is a zerocoinspend.
- Remove several stake logging items that were flagged with any debug type.
- Use a larger mintpool of 20 mints which will be more likely to see any blockchain mints that are ours.
- Refactor zPIVWallet::SyncWithChain() to not get stuck in an infinite loop.
- Remove locking of cs_main on GetUnconfirmedZerocoinBalance() because it now loops over mapSerialHashes and does not grab any chain data.
- LOCK cs_wallet in CreateCoinStake() once a stake has been found.
- LOCK cs_main when generating accumulator witness.

# Conflicts:
#	src/Makefile.am
#	src/init.cpp
#	src/wallet.cpp

* Fixed compile error and coin name.

* Add zpivTracker.

Add mint maturity filtering.

Directly add wallet transactions from zpiv found on IBD.

Fix ResetZerocoins.

Use pubcoin hashes for mintpool instead of CBigNum.

CBigNum may be a bit slower to iterate.

# Conflicts:
#	src/Makefile.am
#	src/init.cpp
#	src/wallet.h

* Fixed compile error

* Database mints generated by the mintpool.

- Load all generated mints on initialization. Then remove mints from the mintpool that are already known.

* Do not database zerocoinmint too early.

- A mint should only be recorded when it is added to the blockchain, not when it is simply checked for validity.
- Remove a database of zPIV spend that should not be done as well (it is done later in connectblock).

* Check for existence of zpivTracker in ListMintedCoins().

* Use unique databasing for dzpiv and do not database private info.

-Feed majority of zpiv read/write/update operations through zpivTracker.

fix

# Conflicts:
#	src/denomination_functions.cpp
#	src/main.cpp
#	src/qt/privacydialog.cpp
#	src/qt/zVitcontroldialog.cpp
#	src/wallet.cpp
#	src/wallet.h
#	src/walletdb.h
#	src/zvittracker.cpp

* [Qt] Fix zPIV transactions details

* [Core] Guard against a segfault in serialization

* [GUI] Update GUI depending on SPORK_16 without restart

# Conflicts:
#	src/qt/privacydialog.cpp

* Fixed coin name

* [Staking] Fix MintableCoins and fMintableCoins

This fixes an edge case where `fMintableCoins` evaluates to `false`
during initialization, which was causing an infinate loop in the staking
thread.

Also refactor `MintableCoins()` to allow for cases when PIV balance is 0
but zPIV balance is not (and wallet has eligible zPIV mints)

# Conflicts:
#	src/miner.cpp

* [Wallet] Fix GetImmatureZerocoinBalance

need to use `GetUnconfirmedZerocoinBalance()` instead of
`GetUnconfirmedBalance()` here.

* [P2P] Guard CInv::ToString against unknown types

* Fix parsing of QT transaction records on fresh import of seed.

# Conflicts:
#	src/qt/transactionrecord.cpp

* Fixed compile error

* Correct confirmation count on qt transaction records.

* Use 1 second GUI update time.

* Handle generating witness from mint less than checkpointed value.

* Fix segfault on chainparams.

* Remove AddToWallet() from miner.cpp.

* Remove uneeded lock on createcoinstake().

* Make zPiv wallet consistently use nCount as the last count used and remove comparison against nCountLastGenerated that resulted in adding to the mintpool every time the wallet got opened.

# Conflicts:
#	src/zvitwallet.cpp

* Make sure mints are added to zerocoinDB even when it is a zcspend.

* Add -reindexzerocoin arg to wipe zerocoindb and reindex blockchain.

# Conflicts:
#	src/init.cpp

* Fix mature zPIV balance calculation

Overview and Privacy tabs were missing the subtraction of unconfirmed
zPIV in their calculation.

# Conflicts:
#	src/qt/overviewpage.cpp

* Don't exit early in ReconsiderZerocoins

Only exit if **BOTH** listMints and listDMints are empty.

* Fix timing inconsistency with mature/unconfirmed zpiv balances

This fixes a timing issue where a zPIV mint that had not yet been
included in a block was being incorrectly accounted for in the
"Mature/Spendable/Available" balance until it was included in a block.

Now, the new mint is correctly accounted as "Unconfirmed" right away.

* Load only the mintpool for the current seed, prevent the generation of mints already in the mintpool, and prevent the zpivwallet count from being updated when an error occurs during zpiv minting.

* Fix MintPool logprint.

* Do not try to add all zpiv stakes on init.

* Fix QT transaction record when staking zpiv that was not deterministic.

- Also add full information about merkle tree to the WalletTx.

# Conflicts:
#	src/qt/transactionrecord.cpp

* zpivTracker better check for orphans. Also no redundant adding wtx's.

* Remove balance check from CreateCoinStake().

* Use correct params for spend when checking serial in miner.

* Fix checking if mint is in chain.

* Fixed compile error

* [Qt] Properly set involvesWatchAddress in the transaction record

This prevents "the eye" from watching you when it shouldn't

* [Qt] Fix mn reward showing as zPIV stake

# Conflicts:
#	src/qt/transactionrecord.cpp

* [Qt] Fix normal PIV transaction record amount

* [Wallet] Fix compilation on windows

* Encryption of zpiv seeds

seed routed through wallet before db to be encrypted (if IsCrypted())

when crypting, the hash of the vMasterKey is used as nIV

# Conflicts:
#	src/init.cpp
#	src/qt/multisigdialog.cpp
#	src/walletdb.cpp
#	src/walletdb.h
#	src/zvitwallet.cpp

* Fixed compile error

* [Qt] Fix another instance of a wayward eye

# Conflicts:
#	src/qt/transactionrecord.cpp

* [Budget] Add debug to find 'Couldn't find opReturn' error

* [Budget] Fix 'Couldn't find opReturn' error 1

# Conflicts:
#	src/masternode-budget.cpp

* Updated fundamental node

* [Budget] Remove obsolete finalized budgets + better debug info

* Updated fundamental node

* [Budget] Add debug info to CBudgetManager::IsTransactionValid()

* Updated fundamental node

* [Budget] Add debug info to CFinalizedBudget::IsTransactionValid()

* Updated fundamental node

* Mark orphan zPIV stake input as not used.

Change listMints() to std::set. Add mapPendingSpends to track spends.

-Change to set to reduce BigO complexity.
-add mapPendingSpends to keep track of spends that were made so that they do not get considered as falsly marked as not used while they are in the mempool.

Check mempool for pending spends.

# Conflicts:
#	src/miner.cpp
#	src/qt/privacydialog.cpp
#	src/qt/zVitcontroldialog.cpp

* Fixed compile error

* [RPC] Fix clang error with vMintsToFind

* Handle zPIV seed db transition.

# Conflicts:
#	src/walletdb.cpp
#	src/walletdb.h

* Fixed compile error

* [Qt] Fix zPIV spend's nCount

Actually increment `nCount` in the loop when displaying the transaction
details so it doesn't stay at `0`.

* Require v1 zPIV to use security level 100.

* More description for spend that fails without using zpiv control dialog.

# Conflicts:
#	src/wallet.h

* Fixed compile error

* Add better help text to all zerocoin related RPC commands

Each command now includes the following:
- Numbered arguments (if any)
- Result example
- Sample call execution

`listzerocoinamounts` was also changed to return propper JSON

# Conflicts:
#	src/rpcwallet.cpp

* Fixed compile error

* Make all RPC commands use the same styling format

Added some missing help output, used EnsureWalletIsLocked where
applicable (more in the next commit), and improved code readability for
the help sections for each command.

# Conflicts:
#	src/rpcdump.cpp
#	src/rpcmisc.cpp
#	src/rpcwallet.cpp

* Teach EnsureWalletIsUnlocked() to accept unlock for anon only

Add an optional bool paramater to `EnsureWalletIsUnlocked()` that
defaults to `false` (current bahavior). If passed `true`, then only
require a partial unlock.

* [Staking] Fix Stake Split Threshold for PIV staking

This reintroduces the calculation on wither or not the wallet should
"split" the PIV stake input.

Note: zPIV staking never splits, and it shouldn't.

* [tests] Fix zPIV determinism test

* Make zpiv unarchiving work with zpivtracker.

* [Budget] Fix double-payment issue and replace "zPiv" by "zPIV" strings

# Conflicts:
#	src/init.cpp
#	src/libzerocoin/Denominations.cpp
#	src/main.cpp
#	src/masternode-budget.cpp
#	src/miner.cpp
#	src/qt/forms/privacydialog.ui
#	src/qt/pivxstrings.cpp
#	src/qt/privacydialog.cpp
#	src/qt/transactiontablemodel.cpp
#	src/qt/transactionview.cpp
#	src/rpcwallet.cpp
#	src/wallet.cpp

* Updated fundamental node

* [Budget] Additional log for Budget debugging

# Conflicts:
#	src/masternode-budget.cpp

* Updated fundamental node

* [Crypto] Bignum getcompact return correct result

* [Crypto] Remove BigNum constructor implicitly calling SetHex

* [Crypto] Fix %= and /= bignum operators

* [Crypto] minor changes on BigNum uses

* dzpivstate RPC call. Displays state of deterministic zpiv wallet.

* Do not archive zpiv orphans on IDB.

- Do not archive zpiv orphans on IDB. This should handle most problems with zpiv being archived when resyncing.
- Speed up CzPIVWallet::SyncWithChain() by reducing calls to GetTransaction().
- Speed up CzPIVWallet::SyncWithChain() by adding a LOCK(cs_main).
- Do not remove mints from the mint pool from init, let the syncing process do it naturally.

* Make sure that mintpool checks all mints.

* Readd zPIV tx's during -zapwallettxs

# Conflicts:
#	src/init.cpp

* Fix segfault on importzerocoins RPC.

* More efficient scanning during zapwallettxes.

# Conflicts:
#	src/init.cpp

* Add multithreading to RPC searchdzpiv.

* Save searched dzpiv to DB. Less verbosity.

* [Budget] Improved double-payment-handling.

# Conflicts:
#	src/masternode-budget.cpp

* Updated fundamental node

* [Wallet] Fix ListMints when returning only unused mints

Needed to move up the logic/checks for filtering out unused mints to get
a propper output with `exportzerocoins false`.

* custom wallet backup paths

# Conflicts:
#	src/wallet.cpp

* Fixed compile error

* Fix first run initialization of zwallet with encrypted wallet.dat file

When running the client with a `wallet.dat` file that has never
initialized it's zwallet or dzPIV, there is an incorrect code pathway
that leads to the dzPIV seed hash never being written to the wallet
file. Instead, we copy the seed generation code into `crypter.cpp` which
will allow for proper dzPIV seed generation upon first unlock.

* Use smart pointers to keep better track of memory.

- Convert the raw ptr to zpivTracker in CWallet to unique_ptr.
- Change the CheckProofOfStake() process to use unique_ptr.

* [Fix] fix translation build error

# Conflicts:
#	src/qt/walletmodel.cpp

* Do not rely on chainActive with contextual checks.

This can lead to situations of rejecting valid blocks that are from a competing fork.

* Use unique_ptr for stake input list.

* [Wallet] Refactor ListMints to more quickly detect orphan/failed stakes

* [Staking] Exit CreateCoinStake loop if wallet locked/shutdown

If the wallet gets locked or a shutdown is requested in the middle of
the stakeinput loop, there is no sense in continuing.

* [Output] Log network message receives as "net" debug category

These messages spam the log constantly and should be classified in the
"net" debug category instead of uncategorized.

* Remove/replace logging that is not necessary.

* [Budget] Handling of too few votes for finalized budget fixed

* Updated fundamental node

* Fix compilation

* Add minimum zPIV maturity consideration to GetMintMaturityHeight().

The zPIV should not be considered mature unless it has 1 mint that occured after it AND the mint is at least two checkpoints deep.

* Factor out components of ListMints() so that it is more legible.

* Simplify and document -custombackupthreshold

Also move -backuppath and -zpivbackuppath to more appropriate areas in
the help output.

# Conflicts:
#	src/init.cpp

* Cleanup log spam & add additional check to archive zpiv stake orphans.

My log was showing stake orphans getting stuck with the message "Found orphanded mint txid=.....". This is supposed to ignore it for the existing iteration and then clean it up next time ListMints() is called. This was not happening to stake transactions, so logic is added to archive the mint if it is coinstake.

* [Budget] Spread out voting on finalized budget for testnet also.

# Conflicts:
#	src/masternode-budget.cpp

* Updated fundamental node

* Display -backuppath, -zpivbackuppath, -custombackupthreshold in wallet repair menu

also fix segfault when permission denied since trying to create directories before checking permissions

* Guard against non-integer input for GUI's custombackupthreshold

* [Core] Initialzed seed for rand()   (trivial change)

* Change spork key validity period. Minor spork code refactor.

* Merge bitcoin#583: [Docs] Update release notes for v3.1.0

53fc2dd [Docs] Update release notes for v3.1.0 (Fuzzbawls)

Tree-SHA512: 2df4411b3376aea24956f8c3e602bece66c92f6f74488bb5a22005bfaa7fab272a93417a76c520aae26a29dd2714270b73f72f3e7922377410a870ee68669c1b

# Conflicts:
#	doc/release-notes.md

* Merge bitcoin#584: [Doc] Update to zPIV staking and Thank you's

e46e49b Update to zPIV staking and Thank you's (Sieres)

Tree-SHA512: 21a43784106ea774e362c2b7d0ca7c1dfb8cb28460a9d7b56057c8becb68599b263510e6f838c441cef13835b722af49c497707b02c80f874432f8c5e7c2e8a6

# Conflicts:
#	doc/release-notes.md

* PIVX Core v3.1.0

# Conflicts:
#	configure.ac

* [Bug] Fix CMasternodeConfig::read

rebase from upstream. Windows doesn't initialize CService properly
during startup before the masternode.conf file is read.

# Conflicts:
#	src/masternodeconfig.cpp

* Updated fundamental node

* Fixed compile error

* Bump version to 3.1.0.1

Bugfix for Windows MN Controllers

* Merge bitcoin#593: 3.1.0.2 backport

43f6f1b Add unit test for budget value. (presstab)
9ee7d98 Update protocol to 70914. (presstab)
ebc4527 [Budget] Fix wrong budget amount (Mrs-X)

Tree-SHA512: 6d813ee5e9cc548ffd8b3c816f669a9b79a6b8118de73941fd3fc6d7be46ae2dbfa935d94d1b62c32c1700165ad5a637f87eeaa8cd36927d4d281193b9c84ada

# Conflicts:
#	src/version.h

* Bump version to 3.1.0.2

* Bump to 3.1.0.3

one-line change for `listtransactions`, this won't be a full release
with gitian builds, but a tag that exchanges/services can use as a
fixed-point reference if they need `listtransactions` compatibility.

* Merge bitcoin#584: [Doc] Update to zPIV staking and Thank you's

e46e49b Update to zPIV staking and Thank you's (Sieres)

Tree-SHA512: 21a43784106ea774e362c2b7d0ca7c1dfb8cb28460a9d7b56057c8becb68599b263510e6f838c441cef13835b722af49c497707b02c80f874432f8c5e7c2e8a6

# Conflicts:
#	doc/release-notes.md

* Merge bitcoin#585: [Doc] Change aarch assert sign output folder

a810714 [Doc] Change aarch assert sign output folder (Warrows)

Tree-SHA512: 1b454a87f526ec8edf96f28952f4dccce444bbedd7512a21188d155ab5e57e494d8306529eccc0a280417895dc0e4b7718a233b883cfcffd84fd89f5c9d4e280

# Conflicts:
#	doc/release-process.md

* Merge bitcoin#595: [Tests] Fix chain ordering in budget tests

3a6b152 [Tests] Fix chain ordering in budget tests (Fuzzbawls)

Tree-SHA512: c94c7511d088bffc9568045b48b5fac8f10cceb4561e1d3a58fda3cb64227aee163280e9ad553157b206bd36257f516c34c697e8df4eeea153ffc8a44753a17a

* Merge bitcoin#596: [Build] Bump master to 3.1.99

5d73f63 [Build] Bump master to 3.1.99 (Fuzzbawls)

Tree-SHA512: 7d421685e1f3b90dfc4f536b679436f0d8bbd82614996aa7e76541ff9ad572e729063fb699d70778ea3f4acb2576713ebd3bbb49966d8e82a79945723419b256

# Conflicts:
#	configure.ac
#	contrib/gitian-descriptors/gitian-aarch64.yml
#	contrib/gitian-descriptors/gitian-linux.yml
#	contrib/gitian-descriptors/gitian-osx.yml
#	contrib/gitian-descriptors/gitian-win.yml

* Merge bitcoin#597: [Wallet] Write new transactions to wtxOrdered properly

b2fdbbf [Wallet] Write new transactions to wtxOrdered properly (Fuzzbawls)

Tree-SHA512: b0bd54c9bd7fb44c18d7d4d84213b96b48dc22b35825c0a0f268b3f99086e8beeea7de5aed07cc575ee7dae0ce095e0438eb7e89454bae54551478ea5f81661d

* [Refactor] Delete secp256k1 folder for subtreefication

# Conflicts:
#	src/secp256k1/.gitignore
#	src/secp256k1/.travis.yml
#	src/secp256k1/COPYING
#	src/secp256k1/Makefile.am
#	src/secp256k1/README.md
#	src/secp256k1/TODO
#	src/secp256k1/configure.ac
#	src/secp256k1/include/secp256k1.h
#	src/secp256k1/libsecp256k1.pc.in
#	src/secp256k1/obj/.gitignore
#	src/secp256k1/src/bench_inv.c
#	src/secp256k1/src/bench_sign.c
#	src/secp256k1/src/bench_verify.c
#	src/secp256k1/src/ecdsa.h
#	src/secp256k1/src/ecdsa_impl.h
#	src/secp256k1/src/eckey.h
#	src/secp256k1/src/eckey_impl.h
#	src/secp256k1/src/ecmult.h
#	src/secp256k1/src/ecmult_gen.h
#	src/secp256k1/src/ecmult_gen_impl.h
#	src/secp256k1/src/ecmult_impl.h
#	src/secp256k1/src/field.h
#	src/secp256k1/src/field_10x26.h
#	src/secp256k1/src/field_10x26_impl.h
#	src/secp256k1/src/field_5x52.h
#	src/secp256k1/src/field_5x52_asm.asm
#	src/secp256k1/src/field_5x52_asm_impl.h
#	src/secp256k1/src/field_5x52_impl.h
#	src/secp256k1/src/field_5x52_int128_impl.h
#	src/secp256k1/src/field_gmp.h
#	src/secp256k1/src/field_gmp_impl.h
#	src/secp256k1/src/field_impl.h
#	src/secp256k1/src/group.h
#	src/secp256k1/src/group_impl.h
#	src/secp256k1/src/java/org/bitcoin/NativeSecp256k1.java
#	src/secp256k1/src/java/org_bitcoin_NativeSecp256k1.c
#	src/secp256k1/src/java/org_bitcoin_NativeSecp256k1.h
#	src/secp256k1/src/num.h
#	src/secp256k1/src/num_gmp.h
#	src/secp256k1/src/num_gmp_impl.h
#	src/secp256k1/src/num_impl.h
#	src/secp256k1/src/scalar.h
#	src/secp256k1/src/scalar_4x64.h
#	src/secp256k1/src/scalar_4x64_impl.h
#	src/secp256k1/src/scalar_8x32.h
#	src/secp256k1/src/scalar_8x32_impl.h
#	src/secp256k1/src/scalar_impl.h
#	src/secp256k1/src/secp256k1.c
#	src/secp256k1/src/testrand.h
#	src/secp256k1/src/testrand_impl.h
#	src/secp256k1/src/tests.c
#	src/secp256k1/src/util.h

* Merge commit '8a901f93d505af3516353837600fd71a0c53a692' as 'src/secp256k1'

* [Crypto] Switch from openssl to secp256k1 for consensus

[Refactoring] Moved and removed some stuff
-Removed duplicated arith uint files
-Removed unused variables
-Move keystore impls to .cpp instead of .h
-Removed useless function in key.cpp
[Crypto] fix bip38 compilation for latest libsecp256k1
[Compilation] Change compilation and some code to use libsec instead of sslcrypto
[Crypto] Update keys to comply with latest secp256k1 lib

# Conflicts:
#	src/Makefile.am
#	src/arith_uint256.cpp
#	src/arith_uint256.h
#	src/eccryptoverify.cpp
#	src/eccryptoverify.h
#	src/ecwrapper.cpp
#	src/ecwrapper.h
#	src/key.cpp
#	src/key.h
#	src/pubkey.cpp
#	src/pubkey.h
#	src/uint512.h

* [Tests] Add new auto generated script tests

* [Crypto] Bring back function CKey.SetPrivKey for zPIV

* Fixed compile error

* [Crypto] Add ctx initialisation for bip38

* [Tests] Fix chain ordering in budget tests

check testnet params first, then check mainnet so as to not interfere
with subsequent unit tests that rely on mainnet params.

Also clean up include ordering.

Github-Pull: bitcoin#595
Rebased-From: 3a6b152

* Only enable/disable PrivacyDialog zPIV elements if needed.

Currently the zPIV buttons are constantly updated to enabled or disabled even if they are already in the correct state.

Github-Pull: bitcoin#600
Rebased-From: 2b76f31

# Conflicts:
#	src/qt/privacydialog.cpp

* Fix spending for v1 zPIV created before block 1050020.

The transition to v2 zPIV and reset of the accumulators caused blocks 1050000 - 1050010 to be accumulated twice. This was causing many v1 zPIV to not create valid witnesses. This problem is fixed by double accumulating blocks 1050000-1050010 when creating the witness.

Github-Pull: bitcoin#603
Rebased-From: abee3d9

* Add getaccumulatorvalues RPC.

Return the accumulator values associated with a particular block height.

Github-Pull: bitcoin#603
Rebased-From: 8a6d425

* Remove log spam and ensure proper zpiv version is used.

Github-Pull: bitcoin#603
Rebased-From: ccf6c77

# Conflicts:
#	src/wallet.cpp

* [GUI] Fix wrongly displayed balance on Overview tab

Github-Pull: bitcoin#598
Rebased-From: 6030877

# Conflicts:
#	src/qt/overviewpage.cpp

* Fixed Multisend dialog to show settings properly

Multisend will display a message if it has only been enabled for masternodes and if its enabled for both (Displaying this didnt work if multisend was only enabled for masternodes)
Github-Pull: bitcoin#580
Rebased-From: 40baa7d

# Conflicts:
#	src/qt/multisenddialog.cpp

* Update multisenddialog.cpp
Github-Pull: bitcoin#580
Rebased-From: 8dca829

# Conflicts:
#	src/qt/multisenddialog.cpp

* [Build] Remove unnecessary BOOST dependency

Github-Pull: bitcoin#605
Rebased-From: da3a6a5

* [Budget] Make sorting of finalized budgets deterministic

Github-Pull: bitcoin#608
Rebased-From: 93e637f

* Updated fundamental node

* Remove zPIV code from main.cpp

Github-Pull: bitcoin#609
Rebased-From: 873ef19

# Conflicts:
#	src/Makefile.am

* Renamed zpivchain to zvitchain

* Fixed compile error

* [Output] Properly log reason(s) for increasing a peer's DoS score.

Many of the MN related DoS checks had their log messages output only if
the client was running in debug mode, leading to unexplained peer bans.

Github-Pull: bitcoin#611
Rebased-From: fe14f5f

# Conflicts:
#	src/masternode-budget.cpp
#	src/masternodeman.cpp

* [Build] Make sure Boost headers are included for libzerocoin

Custom boost locations not using pkg_config can result in a header
include not being found when compiling the libzerocoin library. This
quick fix ensures that the `BOOST_CPPFLAGS` are explicitely included.

Github-Pull: bitcoin#622
Rebased-From: 811785c

# Conflicts:
#	src/Makefile.am

* Update zPIV stake set more frequently.

Github-Pull: bitcoin#617
Rebased-From: 355e2d3

* Lower stake hashdrift to 30 seconds.

Lower the hash drift which should reduce the amount of orphans.

Github-Pull: bitcoin#617
Rebased-From: 4c862f2

* [UI] Remove useless help button from QT dialogs

Github-Pull: bitcoin#629
Rebased-From: 4dc636c

# Conflicts:
#	src/qt/askpassphrasedialog.cpp
#	src/qt/zVitcontroldialog.cpp

* Merge bitcoin#521: [GUI] Make "For anonymization and staking only" checked by default

4e5b73e [GUI] Make "For anonymization and staking only" checked by default (Mrs-X)

Tree-SHA512: 53d5aa663269efdb82cb2d8961f2eae4aebc03a6d96d15d990b357385584e365935f012eb9410b81de891a1d1ed75fbfe88937b2e87df12db148b1d6e3c015a5

# Conflicts:
#	src/qt/askpassphrasedialog.cpp
#	src/qt/masternodelist.cpp
#	src/qt/walletview.h

* Fixed compile error

* [Wallet] Add some LOCK to avoid crash

Github-Pull: bitcoin#625
Rebased-From: ed23d0d

* [Qt] Show progress percent for zpiv reindex operations

`-reindexaccumulators` and `-reindexzerocoin` can take a considerable
time to complete depending on system hardware. Lets show a progress percent
 similar to `VerifyDB()` on the splashscreen.

Github-Pull: bitcoin#612
Rebased-From: 48e502a

# Conflicts:
#	src/main.cpp

* Guard against division by zero for reindex zerocoin/accumulators

in the event that the local chainActive is equal or below that of the
relevant zerocoin block heights, there is nothing to do, so bypass
the internal process.

Github-Pull: bitcoin#612
Rebased-From: bed79e2

# Conflicts:
#	src/main.cpp

* Move ReindexAccumulators() call to be inside parent conditional

Not much point in checking if the listAccCheckpointsNoDB list is empty
outside of when the wallet is started using `-reindexaccumulators`, as
it is always empty outside of that case.

Github-Pull: bitcoin#612
Rebased-From: 5127486

# Conflicts:
#	src/init.cpp

* [Travis] Add separate job to check doc/logprint/subtree

Break out a new job to do the basic linting that check-dock.py and
logprint-scanner.py did.

Also add new scripts to check the sanity of
any git subtrees and to check that new pull requests don't contain any
trailing whitespace.

Also, remove the outdated slack notification callback

Github-Pull: bitcoin#639
Rebased-From: 6f695b5

# Conflicts:
#	.travis.yml

* [Main] Write to the zerocoinDB in batches

instead of using a separate write operation for each and every bit of
data that needs to be flushed to disk, utilize leveldb's batch writing
capability.

Github-Pull: bitcoin#636
Rebased-From: cd672cd

* Remove unnecessary whitespaces

Github-Pull: bitcoin#646
Rebased-From: a554259

# Conflicts:
#	src/qt/privacydialog.cpp

* [Utils] Add copyright header to logprint-scanner.py

Github-Pull: bitcoin#649
Rebased-From: 79d618f

* [Doc] Change aarch assert sign output folder
Github-Pull: bitcoin#585
Rebased-From: a810714

# Conflicts:
#	doc/release-process.md

* Check whether tx is in chain in ContextualCheckZerocoinMint().

Github-Pull: bitcoin#610
Rebased-From: c4141aa

* Merge bitcoin#651: [Doc] Release notes for v3.1.1

6bdef7a [Doc] Release notes for v3.1.1 (Fuzzbawls)

Tree-SHA512: 8fb6c3ef52064b5542c5acdd2b93165fd2f1054b9e2ba607fcdfde3c5c4bbd6e6b8f05ac2fff53e97791c23be6366d60af1957e6e76786daecad591d3d4f8f9b

# Conflicts:
#	doc/release-notes.md

* Bump version to 3.1.1

# Conflicts:
#	configure.ac

* Fixed coin name

* Fixed coin name

* Fixed coin name

* Fixed coin name

* Fixed coin name

* Fixed coin name

* Fixed wrongly replaced coin names

* Update Nomenclature

CzPIVWallet to CzVITWallet

* More Nomenclature Fixes

CzPIVWallet to CzVITTracker

* Fixed compile error

Co-authored-by: Mrs-X <Mrs-X@users.noreply.github.com>
Co-authored-by: Fuzzbawls <fuzzbawls@gmail.com>
Co-authored-by: presstab <presstab1337@gmail.com>
Co-authored-by: gpdionisio <gianpiero.dionisio@protonmail.ch>
Co-authored-by: warrows <warrows@gamer666.fr>
Co-authored-by: Anthony Posselli <anthony@paddington.services>
Co-authored-by: Warrows <Warrows@users.noreply.github.com>
Co-authored-by: rejectedpromise <rejectedpromise@gmail.com>
Co-authored-by: SHTDJ <36552562+SHTDJ@users.noreply.github.com>
Co-authored-by: Crypto Pliskin <13294167+2a5A1Ghu1@users.noreply.github.com>

* Fixed testnet

* Update testnet spork key

* Fixed travis error that caused by check-doc.py

* Removed unused check in travis

* Fixed travis error

* Disabled some unit tests to pass travis

* Disabled some unit tests to pass travis

* Fixed missing bracket in rpcwallet.cpp from merge

* Incremented version to v4.5.0

* Updated spork and zerocoin chain parameters

* Incremented protocol and swapped protocol spork from 18 to 14

* Removed seesaw

* Added spork for enabling removal of seesaw reward algorithm

* Added spork for enabling removal of seesaw reward algorithm & updated spork parameters

* Updated DNS and fixed seeds

* Updated DNS and fixed seeds

* Updated spork parameters

* Adjusted spork parameters

* Fixes for OSX builds on newer OS versions

* Updated release copyright year

* Updated release-nodes.md

* Updated macro name in blocksignature.h

* Updated MIN_PEER_MNANNOUNCE protocol version

* Fixed references to zerocoin spork

* Fixed wrong balance displayed in overview

* Removed unused function SliceHash

* Fixed references to Spork 16

* Fixing compiler warning for rpcfundamentalnode.cpp

* Updated macro names

* Fixed naming for staking rewards

* Fixed references to zVITAE

* Fix FN Label

There may be some compatability issues with this fix and upstream.

* Added checkpoint

* Added checkpoint

* Updated release-notes.md

* Reject blocks that have no previous block

* Adding const to exception catching

* Set AA_EnableHighDpiScaling attribute early

* Updated VITAE copyright string

* Fixed wrongly removed code about mapStakeSpent

* [Wallet] Increase valid range for automint percentage

* [Docs] OSX Build - Instructions on how to make the Homebrew OpenSSL headers visible

* [Qt] Remove Growl support

Growl hasn't been free nor needed for many years. MacOS versions since
10.8 have the OS notification center, which is still supported after
this.

* [Qt] Add Tor service icon to status bar

Tor Icon is displayed when the client is initialized with a successful
tor service connection.

Icon is hidden otherwise.

* Updated naming for zvitaebackuppath

* Updated exception to const in rpcwallet.cpp

* Updated spork key dates for testnet

* Added checkpoint

Co-authored-by: Wang Qi <wqking@users.noreply.github.com>
Co-authored-by: Mrs-X <Mrs-X@users.noreply.github.com>
Co-authored-by: Fuzzbawls <fuzzbawls@gmail.com>
Co-authored-by: presstab <presstab1337@gmail.com>
Co-authored-by: gpdionisio <gianpiero.dionisio@protonmail.ch>
Co-authored-by: warrows <warrows@gamer666.fr>
Co-authored-by: Anthony Posselli <anthony@paddington.services>
Co-authored-by: Warrows <Warrows@users.noreply.github.com>
Co-authored-by: rejectedpromise <rejectedpromise@gmail.com>
Co-authored-by: SHTDJ <36552562+SHTDJ@users.noreply.github.com>
Co-authored-by: Crypto Pliskin <13294167+2a5A1Ghu1@users.noreply.github.com>
Co-authored-by: wqking <wqking@outlook.com>
rajarshimaitra pushed a commit to rajarshimaitra/bitcoin that referenced this issue Aug 5, 2021
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Sep 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants
@TheBlueMatt @roconnor @dmgores @JonasPertschy and others